Hello,

I was wondering about this issue I entered: http://www.ja-sig.org/issues/browse/CASC-88

I was wondering whether I will have to work around this myself or whether I could expect a release in which this will be fixed within a month or so? (I want to phrase this nicer but my English is not good enough; I want to say that I want to know what I can expect, not that I expect it....) I have no real idea of how often releases of the CAS client are made (3.1.3 is the previous one I can download, and that is from June 2008).

I do see it correctly, right, that not being able to specify allowedProxyChains in a proxy authentication scenario is a big security risk? A malicious web application could have the user do a single sign-on action on the CAS server for itself, and then request any user privileged information from web applications that allow proxying and use the same CAS server?

Kind regards,

--Sander.
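The restriction the message above asks about, as an added example that is not part of the original post and not the CAS client's own code: a service reads the `<cas:proxies>` list from a CAS 2.0 `/proxyValidate` response and accepts a proxied login only when the whole chain matches an allow-list. The host names, the function names and the sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed allow-list: each entry is one complete, ordered chain of proxy
# callback URLs, most recent proxy first (the order CAS 2.0 lists them in).
ALLOWED_PROXY_CHAINS = [
    ("https://portal.example.org/pgtCallback",),
    ("https://mail.example.org/pgtCallback",
     "https://portal.example.org/pgtCallback"),
]


def sample_response(user, proxies):
    """Build a constructed CAS 2.0 success response for the demo."""
    items = "".join(f"<cas:proxy>{p}</cas:proxy>" for p in proxies)
    proxies_xml = f"<cas:proxies>{items}</cas:proxies>" if proxies else ""
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
            f"{proxies_xml}</cas:authenticationSuccess></cas:serviceResponse>")


def proxy_chain(response_xml):
    """Return (user, chain) from a successful validation response."""
    root = ET.fromstring(response_xml)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("ticket validation failed")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    proxies = success.findall("cas:proxies/cas:proxy", CAS_NS)
    return user, tuple((p.text or "").strip() for p in proxies)


def accept(response_xml, allowed=ALLOWED_PROXY_CHAINS):
    """Return the user for a direct login or an allowed chain, else None."""
    user, chain = proxy_chain(response_xml)
    if chain and chain not in allowed:
        return None  # proxied by an application we do not trust
    return user


if __name__ == "__main__":
    unknown = sample_response("sander", ["https://unknown.example.net/cb"])
    print(accept(unknown))  # rejected: chain is not on the allow-list
```

Matching the full ordered chain, rather than only the first proxy, means a trusted proxy reached through an untrusted one is rejected as well.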
- [cas-user] Vote for a bug? Sander Bos
- Re: [cas-user] Vote for a bug? Scott Battaglia
- Re: [cas-user] Vote for a bug? Sander Bos
- Re: [cas-user] Vote for a bug? Marvin Addison
- Re: [cas-user] Vote for a bug? Scott Battaglia
